feat: add TDS8.0 Support for tedious

.github/workflows/nodejs.yml

@@ -78,7 +78,7 @@ jobs:
 
     - name: Generate TLS Certificate
       run: |
-        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -keyout ./test/fixtures/mssql.key -out ./test/fixtures/mssql.crt
+        openssl req -x509 -newkey rsa:4096 -nodes -addext "extendedKeyUsage = serverAuth" -subj '/CN=localhost' -keyout ./test/fixtures/mssql.key -out ./test/fixtures/mssql.crt
 
     - name: Start containers
       run: |
@@ -192,10 +192,9 @@ jobs:
       run: |
         Push-Location C:\temp
 
-        Invoke-WebRequest -Uri https://download.microsoft.com/download/3/8/d/38de7036-2433-4207-8eae-06e247e17b25/SQLServer2022-DEV-x64-ENU.exe -OutFile sqlsetup.exe
-        Invoke-WebRequest -Uri https://download.microsoft.com/download/3/8/d/38de7036-2433-4207-8eae-06e247e17b25/SQLServer2022-DEV-x64-ENU.box -OutFile sqlsetup.box
-
-        Start-Process -Wait -FilePath ./sqlsetup.exe -ArgumentList /qs, /x:setup
+        Invoke-WebRequest -Uri https://download.microsoft.com/download/c/c/9/cc9c6797-383c-4b24-8920-dc057c1de9d3/SQL2022-SSEI-Dev.exe -OutFile SQL2022-SSEI-Dev.exe
+        Start-Process -Wait -FilePath ./SQL2022-SSEI-Dev.exe -ArgumentList /ACTION=Download, /MEDIAPATH=C:\temp, /MEDIATYPE=CAB, /QUIET
+        Start-Process -Wait -FilePath ./SQLServer2022-DEV-x64-ENU.exe -ArgumentList /qs, /x:setup
 
         .\setup\setup.exe /q /ACTION=Install /INSTANCENAME=MSSQLSERVER /FEATURES=SQLEngine /UPDATEENABLED=0 /SQLSVCACCOUNT='NT SERVICE\MSSQLSERVER' /SQLSYSADMINACCOUNTS='BUILTIN\ADMINISTRATORS' /TCPENABLED=1 /NPENABLED=0 /IACCEPTSQLSERVERLICENSETERMS /SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS /USESQLRECOMMENDEDMEMORYLIMITS
 
@@ -246,9 +245,10 @@ jobs:
         '-----END CERTIFICATE-----'
         )
         # Output PEM file to the path
-        $output | Out-File -FilePath test\fixtures\mssql.crt -Encoding ascii
+        $output -join "`n" | Out-File -FilePath test\fixtures\mssql.crt -Encoding ascii -NoNewLine
 
     - name: Set up CI configuration
+      shell: bash
       run: |
         mkdir ~/.tedious
 
@@ -270,6 +270,8 @@ jobs:
           }
         }' | jq --arg certificate "$(cat ./test/fixtures/mssql.crt)" '.config.options.cryptoCredentialsDetails.ca |= $certificate' > ~/.tedious/test-connection.json
 
+        cat ~/.tedious/test-connection.json
+
     - name: Upgrade npm
       run: npm install -g npm
       if: ${{ matrix.node-version == '6.x' }}

src/connection.ts

@@ -1,5 +1,6 @@
 import crypto from 'crypto';
 import os from 'os';
+import * as tls from 'tls';
 import { Socket } from 'net';
 import dns from 'dns';
 
@@ -365,7 +366,7 @@ export interface InternalConnectionOptions {
   enableImplicitTransactions: null | boolean;
   enableNumericRoundabort: null | boolean;
   enableQuotedIdentifier: null | boolean;
-  encrypt: boolean;
+  encrypt: string | boolean;
   encryptionKeyStoreProviders: KeyStoreProviderMap | undefined;
   fallbackToDefaultDb: boolean;
   instanceName: undefined | string;
@@ -660,11 +661,12 @@ export interface ConnectionOptions {
   enableQuotedIdentifier?: boolean;
 
   /**
-   * A boolean determining whether or not the connection will be encrypted. Set to `true` if you're on Windows Azure.
+   * A string value that can be only set to 'strict', which indicates the usage TDS 8.0 protocol. Otherwise,
+   * a boolean determining whether or not the connection will be encrypted.
    *
-   * (default: `false`)
+   * (default: `true`)
    */
-  encrypt?: boolean;
+  encrypt?: string | boolean;
 
   /**
    * By default, if the database requested by [[database]] cannot be accessed,
@@ -818,6 +820,10 @@ export interface ConnectionOptions {
    */
   trustServerCertificate?: boolean;
 
+  /**
+   *
+   */
+  serverName?: string;
   /**
    * A boolean determining whether to return rows as arrays or key-value collections.
    *
@@ -1479,10 +1485,11 @@ class Connection extends EventEmitter {
 
         this.config.options.enableQuotedIdentifier = config.options.enableQuotedIdentifier;
       }
-
       if (config.options.encrypt !== undefined) {
         if (typeof config.options.encrypt !== 'boolean') {
-          throw new TypeError('The "config.options.encrypt" property must be of type boolean.');
+          if (config.options.encrypt !== 'strict') {
+            throw new TypeError('The "encrypt" property must be set to "strict", or of type boolean.');
+          }
         }
 
         this.config.options.encrypt = config.options.encrypt;
@@ -1642,6 +1649,13 @@ class Connection extends EventEmitter {
         this.config.options.trustServerCertificate = config.options.trustServerCertificate;
       }
 
+      if (config.options.serverName !== undefined) {
+        if (typeof config.options.serverName !== 'string') {
+          throw new TypeError('The "config.options.serverName" property must be of type string.');
+        }
+        this.config.options.serverName = config.options.serverName;
+      }
+
       if (config.options.useColumnNames !== undefined) {
         if (typeof config.options.useColumnNames !== 'boolean') {
           throw new TypeError('The "config.options.useColumnNames" property must be of type boolean.');
@@ -1967,21 +1981,52 @@ class Connection extends EventEmitter {
 
     connect(connectOpts, dns.lookup, signal).then((socket) => {
       process.nextTick(() => {
-        socket.on('error', (error) => { this.socketError(error); });
-        socket.on('close', () => { this.socketClose(); });
-        socket.on('end', () => { this.socketEnd(); });
-        socket.setKeepAlive(true, KEEP_ALIVE_INITIAL_DELAY);
+        const secureContext = tls.createSecureContext(this.secureContextOptions);
+        if (this.config.options.encrypt === 'strict') {
+          const encryptOptions = {
+            host: this.config.server,
+            socket: socket,
+            ALPNProtocols: ['tds/8.0'],
+            secureContext: secureContext,
+            servername: this.config.options.serverName ? this.config.options.serverName : this.config.server,
+          };
+          const encryptsocket = tls.connect(encryptOptions, () => {
+            socket = encryptsocket;
+
+            socket.on('error', (error) => { this.socketError(error); });
+            socket.on('close', () => { this.socketClose(); });
+            socket.on('end', () => { this.socketEnd(); });
+            socket.setKeepAlive(true, KEEP_ALIVE_INITIAL_DELAY);
+
+            this.messageIo = new MessageIO(socket, this.config.options.packetSize, this.debug);
+
+            this.socket = socket;
+
+            this.closed = false;
+            this.debug.log('connected to ' + this.config.server + ':' + this.config.options.port);
+
+            this.sendPreLogin();
+            this.transitionTo(this.STATE.SENT_PRELOGIN);
+          });
+
+          console.log('using TDS 8.0 strict TLS encryption');
+        } else {
+          socket.on('error', (error) => { this.socketError(error); });
+          socket.on('close', () => { this.socketClose(); });
+          socket.on('end', () => { this.socketEnd(); });
+          socket.setKeepAlive(true, KEEP_ALIVE_INITIAL_DELAY);
 
-        this.messageIo = new MessageIO(socket, this.config.options.packetSize, this.debug);
-        this.messageIo.on('secure', (cleartext) => { this.emit('secure', cleartext); });
+          this.messageIo = new MessageIO(socket, this.config.options.packetSize, this.debug);
+          this.messageIo.on('secure', (cleartext) => { this.emit('secure', cleartext); });
 
-        this.socket = socket;
+          this.socket = socket;
 
-        this.closed = false;
-        this.debug.log('connected to ' + this.config.server + ':' + this.config.options.port);
+          this.closed = false;
+          this.debug.log('connected to ' + this.config.server + ':' + this.config.options.port);
 
-        this.sendPreLogin();
-        this.transitionTo(this.STATE.SENT_PRELOGIN);
+          this.sendPreLogin();
+          this.transitionTo(this.STATE.SENT_PRELOGIN);
+        }
       });
     }, (err) => {
       this.clearConnectTimer();
@@ -2231,10 +2276,12 @@ class Connection extends EventEmitter {
    * @private
    */
   sendPreLogin() {
-    const [ , major, minor, build ] = /^(\d+)\.(\d+)\.(\d+)/.exec(version) ?? [ '0.0.0', '0', '0', '0' ];
-
+    const [, major, minor, build] = /^(\d+)\.(\d+)\.(\d+)/.exec(version) ?? ['0.0.0', '0', '0', '0'];
     const payload = new PreloginPayload({
-      encrypt: this.config.options.encrypt,
+      // If encrypt setting is set to 'strict', then we should have already done the encryption before calling
+      // this function. Therefore, the encrypt will be set to false here.
+      // Otherwise, we will set encrypt here based on the encrypt Boolean value from the configuration.
+      encrypt: typeof this.config.options.encrypt === 'boolean' && this.config.options.encrypt,
       version: { major: Number(major), minor: Number(minor), build: Number(build), subbuild: 0 }
     });
 
@@ -3155,16 +3202,15 @@ Connection.prototype.STATE = {
         if (preloginPayload.fedAuthRequired === 1) {
           this.fedAuthRequired = true;
         }
-
-        if (preloginPayload.encryptionString === 'ON' || preloginPayload.encryptionString === 'REQ') {
+        if ('strict' !== this.config.options.encrypt && (preloginPayload.encryptionString === 'ON' || preloginPayload.encryptionString === 'REQ')) {
           if (!this.config.options.encrypt) {
             this.emit('connect', new ConnectionError("Server requires encryption, set 'encrypt' config option to true.", 'EENCRYPT'));
             return this.close();
           }
 
           try {
             this.transitionTo(this.STATE.SENT_TLSSSLNEGOTIATION);
-            await this.messageIo.startTls(this.secureContextOptions, this.routingData?.server ?? this.config.server, this.config.options.trustServerCertificate);
+            await this.messageIo.startTls(this.secureContextOptions, this.config.options.serverName ? this.config.options.serverName : this.routingData?.server ?? this.config.server, this.config.options.trustServerCertificate);
           } catch (err: any) {
             return this.socketError(err);
           }

src/tds-versions.ts

@@ -3,7 +3,8 @@ export const versions: { [key: string]: number } = {
   '7_2': 0x72090002,
   '7_3_A': 0x730A0003,
   '7_3_B': 0x730B0003,
-  '7_4': 0x74000004
+  '7_4': 0x74000004,
+  '8_0': 0x08000000
 };
 
 export const versionsByValue: { [key: number]: string } = {};

test/integration/connection-test.js

@@ -9,6 +9,7 @@ const os = require('os');
 import Connection from '../../src/connection';
 import { ConnectionError, RequestError } from '../../src/errors';
 import Request from '../../src/request';
+import { versions } from '../../src/tds-versions';
 
 function getConfig() {
   const config = JSON.parse(
@@ -530,24 +531,45 @@ describe('Ntlm Test', function() {
 });
 
 describe('Encrypt Test', function() {
-  it('should encrypt', function(done) {
-    const config = getConfig();
-    config.options.encrypt = true;
-
+  /**
+   * @this {Mocha.Context}
+   * @param {Mocha.Done} done
+   * @param {import("../../src/connection").ConnectionConfiguration} config
+   * @param {string} tdsKey
+   * @returns {void}
+   */
+  function runEncryptTest(done, config, tdsKey) {
     const connection = new Connection(config);
 
     connection.connect(function(err) {
       assert.ifError(err);
+      connection.execSql(request);
+    });
 
-      connection.close();
+    const request = new Request(
+      `SELECT c.protocol_version
+       FROM sys.dm_exec_connections AS c
+       JOIN sys.dm_exec_sessions AS s
+       ON c.session_id = s.session_id
+       WHERE c.session_id = @@SPID`, (err, rowCount) => {
+        assert.ifError(err);
+        assert.strictEqual(rowCount, 1);
+
+        connection.close();
+      });
+
+    request.on('row', function(columns) {
+      //  console.log(versions[tdsKey],columns[0].value)
+      assert.strictEqual(columns.length, 1);
+      assert.strictEqual(versions[tdsKey], columns[0].value);
     });
 
     connection.on('end', function() {
       done();
     });
 
     connection.on('databaseChange', function(database) {
-      assert.strictEqual(database, config.options.database);
+      assert.strictEqual(database, config.options?.database);
     });
 
     connection.on('secure', function(cleartext) {
@@ -560,9 +582,19 @@ describe('Encrypt Test', function() {
       // console.log("#{info.number} : #{info.message}")
     });
 
-    return connection.on('debug', function(text) {
+    connection.on('debug', function(text) {
       // console.log(text)
     });
+  }
+  it('should encrypt', function(done) {
+    const config = getConfig();
+    config.options.encrypt = true;
+    runEncryptTest.call(this, done, config, '7_4');
+  });
+  it('encrypt with TDS8.0', function(done) {
+    const config = getConfig();
+    config.options.encrypt = 'strict';
+    runEncryptTest.call(this, done, config, '8_0');
   });
 });
 

test/unit/connection-config-validation.js

@@ -94,4 +94,40 @@ describe('Connection configuration validation', function() {
       new Connection(config);
     });
   });
+
+  it('bad encrypt value type', () => {
+    const numberEncrypt = 0;
+    config.options.encrypt = numberEncrypt;
+    assert.throws(() => {
+      new Connection(config);
+    });
+  });
+
+  it('bad encrypt string', () => {
+    config.options.encrypt = 'false';
+    assert.throws(() => {
+      new Connection(config);
+    });
+  });
+
+  it('good false encrypt value', () => {
+    config.options.encrypt = false;
+    const connection = new Connection(config);
+    assert.strictEqual(connection.config.options.encrypt, false);
+    ensureConnectionIsClosed(connection, () => {});
+  });
+
+  it('good true encrypt value', () => {
+    config.options.encrypt = true;
+    const connection = new Connection(config);
+    assert.strictEqual(connection.config.options.encrypt, true);
+    ensureConnectionIsClosed(connection, () => {});
+  });
+
+  it('good strict encrypt value', () => {
+    config.options.encrypt = 'strict';
+    const connection = new Connection(config);
+    assert.strictEqual(connection.config.options.encrypt, 'strict');
+    ensureConnectionIsClosed(connection, () => {});
+  });
 });